Virus Database

Shimmer Family

Description Shimmer Family

These are dangerous memory resident multipartite viruses. They infect the boot sectors of the floppy disks, and create BAT and EXE worms with the virus body inside. To install their TSR copies the viruses use HMA and video memory.
The method of infection of the BAT files is the same as used in "Winstart" virus. The "Shimmer" virus creates the WINSTART.BAT file in the C:WINDOWS directory and writes itself into there. While executing an infected WINSTART.BAT the virus creates INSTALL.EXE file, and executes that file. INSTALL.EXE contains the virus installator, its code hooks INT 2Fh,40h and overwrites with the virus code the boot sectors of the floppy disks that are accessed.
On loading from infected floppy the virus hooks INT 1Ah, waits for DOS loading, hooks INT 21h, and creates the C:WINDOWSWINSTART.BAT worm during the first call to INT 21h. Then the virus disables its infection routine.
The viruses have the bugs and may halt the system. "Shimmer.b" outputs the string "ATM0L0S0=1O1" to the COM port. The viruses contain the text strings:
"Shimmer.a"
:yt
@echo.PKX>install.exe
@copy/b install.exe+%0.bat>nul
@install.exe
c:windowswinstart.bat
New Shimmer

"Shimmer.b"
:y~ATM0L0S0=1O1
@ECHO PKX>INSTALL.EXE
@COPY/B INSTALL.EXE+%0.BAT>NUL
@INSTALL.EXE
C:WINDOWSWINSTART.BAT

Check other viruses! Be aware! Use Antiviral Software

ADT.1778

Description ADT.1778

It is not a dangerous memory resident parasitic virus. It hooks INT 21h and when any program is executed, searches for COM and EXE files in the directory from where the program is run, and writes itself to the end of the file. When a debugger is run, the virus displays the text:
-------------##########-############----##############---------####-----------
------------###########-##############--##############---------####-----------
-----------#####--#####-#####----######------####--------------####-----------
----------#####---#####-#####----######------####--------------####-----------
---------##############-#####----######------####---------------##------------
--------###############-#####----######------####---------------##------------
-------#####------#####-##############-------####-----------------------------
------#####-------#####-############---------####---------------##------------

On 19th of any month the virus also hooks INT 9 (keyboard) and displays the text " Andreas" at the cursor position.

Advent.2764

Description Advent.2764

This is non-resident harmless virus that upon execution, infects COM and EXE files. It infects EXE files in a standard way, and in COM files, it replaces the first 23h bytes in the file beginning with a jump to the virus body.
The major parts of the virus are encoded. The virus don't activate if the string "VIRUS=OFF" is found in the ENVIRONMENT.
From mid-November, the virus runs itself by wishing a user "MERRY CHRISTMAS!" accompanied by simple pictures and a basic musical tune.

Home